Issue

Cloudflare automatically issues certificates when you create a custom hostname.

Certificate authorities

If you create the custom hostname via API, you can leave the certificate_authority parameter empty to set it to “default CA”. With this option, Cloudflare checks the hostname's CAA records before requesting the certificates, which helps ensure that the CA can actually issue them.

Refer to this certificate authorities reference page to learn more about the CAs that Cloudflare uses to issue SSL/TLS certificates.
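
A way to pre-check the CAA records described above before creating a custom hostname, as an added example (not Cloudflare's code): it applies the RFC 8659 evaluation rules to constructed records. The CA identifiers `ca-one.example` and `ca-two.example`, the zone data and the function names are assumptions, and CNAME following is not modelled.

```python
# Constructed sample data: name -> list of (flags, tag, value) CAA records.
SAMPLE_CAA = {
    "customer.example": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "shop.customer.example": [(0, "issue", "ca-two.example; account=123")],
    "locked.example": [(0, "issue", ";")],
    "iodef-only.example": [(0, "iodef", "mailto:sec@iodef-only.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(hostname, zone):
    """Climb from hostname toward the root; return the first non-empty CAA set."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[0] == "*":  # a wildcard request is evaluated at its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def issuer_domain(value):
    """Drop parameters: 'ca.example; account=1' -> 'ca.example', ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(hostname, ca_id, zone):
    """Return True if the CAA data in `zone` lets `ca_id` issue for `hostname`."""
    records = relevant_rrset(hostname, zone)
    # An unknown tag with the critical bit (128) set means the CA must refuse.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if hostname.startswith("*.") and issuewild else issue
    if not applicable:
        return True  # nothing restricts issuance, so any CA may issue
    return ca_id.lower() in {issuer_domain(v) for v in applicable}
```

A record set on a subdomain replaces the parent's set entirely, so `shop.customer.example` above permits only `ca-two.example` even though the parent names `ca-one.example`.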

Certificate details and compatibility

For each custom hostname, Cloudflare issues two certificates bundled in chains that maximize browser compatibility (unless you upload custom certificates).

The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.